From afaf21d5c881a85f35a6ff981403f03a99bc7555 Mon Sep 17 00:00:00 2001
From: Manoj Kumar
Date: Mon, 23 Feb 2026 11:41:46 +0530
Subject: [PATCH 1/2] fix the permission check when user is not root for non-public template
---
 .../main/java/com/cloud/api/query/QueryManagerImpl.java | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
index 0cec3a38075d..88cef836e496 100644
--- a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
@@ -4965,15 +4965,13 @@ private Pair, Integer> searchForTemplatesInternal(Long temp
 ex.addProxyObject(template.getUuid(), "templateId");
 throw ex;
 }
+
 if (!template.isPublicTemplate() && caller.getType() == Account.Type.DOMAIN_ADMIN) {
 Account template_acc = accountMgr.getAccount(template.getAccountId());
 DomainVO domain = _domainDao.findById(template_acc.getDomainId());
 accountMgr.checkAccess(caller, domain);
- }
-
- // if template is not public, perform permission check here
- else if (!template.isPublicTemplate() && caller.getType() != Account.Type.ADMIN) {
- accountMgr.checkAccess(caller, null, false, template);
+ } else if (!template.isPublicTemplate() && caller.getType() != Account.Type.ADMIN) { // if template is not public, perform permission check here
+ accountMgr.checkAccess(caller, null, true, template);
 } else if (template.isPublicTemplate()) {
 accountMgr.checkAccess(caller, null, false, template);
 }
From fe7fc5a392b36577ac5d5daeb39360b5249b7919 Mon Sep 17 00:00:00 2001
From: Manoj Kumar
Date: Tue, 7 Apr 2026 10:25:14 +0530
Subject: [PATCH 2/2] consolidate if-else branch
---
 .../src/main/java/com/cloud/api/query/QueryManagerImpl.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
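Review bot: In the 1/2 hunk the whole fix is the third argument of `accountMgr.checkAccess(caller, null, true, template)` going from `false` to `true`, and nothing on the line says what that boolean controls, which makes the change easy to lose in a later cleanup. Replace the generic trailing comment with one that names the flag and the case it closes, for example `// third arg true: <what the flag enforces for private templates>`, filled in from the `checkAccess` contract. The patch touches only QueryManagerImpl.java, so no test pins the new result for a non-admin caller requesting another account's private template by id. `searchForTemplatesInternal` starts and ends outside the hunk, so the earlier `throw ex` path was not reviewed.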
diff --git a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
index 88cef836e496..8f418a316b2e 100644
--- a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
@@ -4970,9 +4970,8 @@ private Pair, Integer> searchForTemplatesInternal(Long temp
 Account template_acc = accountMgr.getAccount(template.getAccountId());
 DomainVO domain = _domainDao.findById(template_acc.getDomainId());
 accountMgr.checkAccess(caller, domain);
- } else if (!template.isPublicTemplate() && caller.getType() != Account.Type.ADMIN) { // if template is not public, perform permission check here
- accountMgr.checkAccess(caller, null, true, template);
- } else if (template.isPublicTemplate()) {
+ } else if (template.isPublicTemplate() || caller.getType() != Account.Type.ADMIN) {
+ // if template is not public or non-admin caller, perform permission check here
 accountMgr.checkAccess(caller, null, false, template);
 }
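Review bot: Folding the two branches puts the third `checkAccess` argument back to `false`, undoing the `true` that patch 1/2 introduced as its fix. Compared with the lines 1/2 removed, the resulting chain takes the same decision for every combination of `isPublicTemplate()` and caller type, so the series as shown appears to change no behaviour even though its subject promises a permission fix. Either keep the non-public, non-ADMIN case on its own branch with the argument the fix needs, or state in the description why `false` is correct and add a test that a non-admin account is denied another account's private template. The new comment also contradicts the condition, which tests `template.isPublicTemplate() ||` rather than "not public"; `// public template, or caller is not root admin: run the ACL check` would match the code.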